Hello everyone,
I’m new at OpenSSL programming and encountered a problem while build TLS
connection. I’m working on a crypto chip ATECC508A. So the client private key
is stored in the chip and no way to get it out. However during standard TLS
handshake, I need to provide client private key by “SSL_CTX_use_private_key()”
if server needs to identify the client. Because the server will give a
“challenge” to client and client needs to encrypt it by client private key.
Then the server will decode it by client public key and check if they match.
For your reference:
https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake
I have written my sample client and server code. Everything works fine if I use
my own test certificates: selft-signed CA and client cert signed by CA (this
means I have the test client cert private key so that I could use
SSL_CTX_use_private_key() to import it).
The problem is here, in ATECC508A, I’m not able to provide private key directly
but have API to sign any digests. So I wonder are there any ways to do some
“modification” during handshake? I have tried following two ways:
1. Using OpenSSL Engine. I see that we could set our own algorithms inside
engine to overwrite original methods. I think signing “challenge” is at
EC_KEY_METHOD. So I write an EC_KEY_METHOD engine and load it successful.
Besides I print “enter” and “leave” at the beginning and end of every function
in EC_KEY_METHOD. When I do some tests using “ECDSA_sign”, I could see “enter”
and “leave” printed from my sign_sig and sign function. However if I run TLS
connection, nothing printed (except engine initialization log) and
authentication failed (obviously). Those means my own sign and verify functions
hasn’t been called.
2. Set callback in SSL or SLL_ctx? I have checked the source code of these two
structures but not sure how to do that.
Those are what I tried and of course failed every try. :( So could anyone point
me what should I do? Maybe I used wrong engine, missed some important callback
or others?
Best Regards,
Jim
=========
I post my client test code for your reference:
#include <openssl/ssl.h>
#include <openssl/conf.h>
#include "openssl/eccx08_engine.h"
#include "openssl/eccx08_engine_internal.h"
int main()
{
static ENGINE *ateccx08_engine;
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
PRINTF("ENGINE_load_dynamic");
ENGINE_load_dynamic();
printf("CONF_modules_load_file");
if (!CONF_modules_load_file(NULL, NULL, CONF_MFLAGS_DEFAULT_SECTION))
{
printf("Config failed to load");
}
printf("ENGINE_by_id");
ateccx08_engine = ENGINE_by_id("ateccx08");
if (ateccx08_engine == NULL)
{
printf("Engine failed to load");
}
// after some initialization
// load client-side cert and key, signed by intermediate cert
SSL_CTX_use_certificate_file(m_ctx, ClientCertificateFileTest,
SSL_FILETYPE_PEM);
// no need anymore because no way to extract private key
// SSL_CTX_use_PrivateKey_file(m_ctx, ClientPrivateKeyFileTest,
SSL_FILETYPE_PEM);
// load intermediate cert, signed by CA
X509* chaincert = X509_new();
BIO* bio_cert = BIO_new_file(SignerCertificateFileTest, "rb");
PEM_read_bio_X509(bio_cert, &chaincert, NULL, NULL);
SSL_CTX_add1_chain_cert(m_ctx, chaincert)
m_ssl = SSL_new(m_ctx);
// get_seocket is my own API
m_sock = get_socket();
SSL_set_fd(m_ssl, m_sock)
// doing handshake and build connection, however no output from ECDSA sign
algorithm
auto r = SSL_connect(m_ssl);
}
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
